GRC Analyst
Job Title: GRC Analyst II
Location: Remote within CST
Employment Type: Full-Time
Salary: 100-110k
Position Summary:
A direct client is seeking a detail-oriented and experienced GRC (Governance, Risk, and Compliance) Analyst II to support the continued development and execution of our organization’s security compliance initiatives. This role focuses on adherence to ISO/IEC 27001 standards, the effective design and monitoring of General IT Controls (GITC), and coordination of audit and risk assessment activities.
The successful candidate will play a key role in risk mitigation, audit support, policy development, and business continuity planning. This role requires close collaboration with internal stakeholders and auditors to ensure ongoing compliance, audit readiness, and continuous improvement of our security governance framework.
Key Responsibilities:
Governance, Risk, and Compliance Program Support
- Maintain and enhance the GRC framework aligned to ISO/IEC 27001 and other regulatory standards.
- Support updates to the Information Security Management System (ISMS), including policies, risk treatment plans, and the Statement of Applicability (SoA).
- Ensure documentation, controls, and processes align with applicable security and regulatory requirements.
Risk Assessment & Control Monitoring
- Conduct routine information security and IT risk assessments to evaluate threat exposure, control effectiveness, and remediation plans.
- Track and manage identified risks, control gaps, and mitigation activities.
- Partner with IT and business teams to ensure appropriate and timely implementation of risk mitigation strategies.
General IT Controls Oversight
- Support the design, documentation, and testing of key IT general controls (e.g., access controls, change management, backups, logical security).
- Coordinate with control owners to ensure controls meet internal expectations and audit standards.
- Perform regular control reviews and assessments to ensure audit readiness and timely resolution of deficiencies.
Audit & Assurance Support
- Assist in internal and external audits by preparing documentation, responding to inquiries, and supporting control walkthroughs.
- Track audit findings, document corrective actions, and monitor remediation timelines.
- Maintain comprehensive audit records and organized evidence repositories.
Compliance Metrics & Reporting
- Create and maintain dashboards, compliance reports, and risk registers to monitor organizational posture.
- Schedule and track control testing activities, maintaining appropriate documentation and audit trails.
- Monitor changes in regulatory obligations or certification requirements and evaluate their impact.
Stakeholder Engagement & Training
- Collaborate with cross-functional teams (e.g., IT, Security, Legal, Compliance) to align control responsibilities and drive compliance awareness.
- Contribute to security awareness initiatives and policy training programs.
- Participate in process improvement projects that incorporate compliance and governance best practices.
Continuous Improvement
- Recommend and implement improvements to risk and compliance programs based on audit results, testing, and emerging risks.
- Identify opportunities to streamline evidence collection, testing, and reporting using GRC tools or automation platforms.
- Remain up to date with industry regulations, best practices, and ISO standard updates.
Qualifications:
- 3–5 years of experience in IT risk, compliance, or audit roles, preferably in a regulated or ISO 27001-certified environment.
- Strong understanding of IT General Controls, ISO/IEC 27001 standards, and risk assessment methodologies.
- Experience supporting internal/external audits and maintaining audit documentation.
- Familiarity with GRC platforms or tools (e.g., ServiceNow GRC, Archer, LogicGate).
- Strong analytical, organizational, and documentation skills.
- Ability to effectively communicate with technical and non-technical stakeholders.
Preferred Qualifications:
- ISO 27001 Lead Implementer or Lead Auditor certification is a plus.
- Experience with Business Continuity Planning (BCP) programs and testing.
- Background in supporting compliance with other frameworks (e.g., NIST, SOC 2, PCI DSS) is advantageous.